How to make a custom SSL certificate miner

You are here:
Estimated reading time: 2 min

Why do we need an SSL certificate miner?

The WAF module can only listen on HTTP but it needs the SSL Terminating module to be able to listen on HTTPS as well. This module can do this only if it has the SSL certificates of the domains at its disposal.
BitNinja has such a cert miner by default however this module in some cases might be unable to detect the SSL certs. In which case you need to make a new cert miner.

Before you begin to write your own cert miner make sure all of the required ports are open/ allowed on the server and your firewall (if you have one). Opening the ports might solve the issue altogether.

Required ports

Also, make sure that your certs are not password protected.

Where are your certs are located?

In order to make a working cert miner, you need to know where is the cert of each domain is located.
We will need the private key and the cert file and the name of the domain.

The cert file locations are diverse, they differ by, web server by, operating system or by the control panel.
For example, the /etc/ssl/certs/ directory is the most common however on Direct Admin the cert are located at /usr/local/directadmin/data/users/<insert domain name here>/domains/.
On Amazon Linux servers the certs are located at /etc/pki/tls/

What does a cert miner do?

You need to combine the private keys and the cert file of each domain hosted on your server into a .pem file and name the .pem file after the domain. The pem file needs to be located at
/opt/bitninja-ssl-termination/etc/haproxy/certs/

You also need to create the /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst and include the full path for each .pem file created in the previous step. It’s also required to include the domain name itself and the domain name with www. and the *. in front of the domain in order to use the cert for the subdomains.
It might be easier to just show an example for this:
/opt/bitninja-ssl-termination/etc/haproxy/certs/example.pem example www.example *.example

Now we just have to implement a script that does just that.

After the certificate miner is complete we recommend running the script via a cron job every 20-30 minutes.
This is required to make sure the .pem files are always up to date and include the newly added certs too.

Template

#!/bin/bash

#create the cert-list.lst file
echo > /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

#gather the domain names where we have the cert files 
# an example for one of the cert locations is /etc/letsencrypt/live/example.com/cert.pem
for i in ` ls -F <location of every cert>/*/cert.pem | awk -F "/" {'print $5'}| sed 's/\.[.]*$//'` ;

#from now on $i will mean all the domains names

do
#combine the privatekey file and the cert file into the pem file pay attention to the files name
cat <location of every cert>/$i/privkey.pem <location of every cert>/$i/cert.pem > /opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem

#add the location of all the generated pemfiles to the cert-list.ls file
echo "/opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem $i www.$i *.$i" >> /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

done
#remove empty lines if you want :)
sed -i '/^$/d' /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
  1. Locate the cert and private key of each domain. And include the location in the script as shown above
    e.g.: nano cert_miner.sh
  2. Make the script executable by issuing this command
    e.g.:chmod +x cert_miner.sh
  3. Run the script.
    e.g.: ./cert_miner.sh
  4. Test if the correct files are created with the correct names and contents
  5. Add the script to the crontab. You can generate the cronjob easily with this online tool.

Script (examples)

Each server is different, copying the script might not work in all cases.

In these scripts, we assume that the cert and private key files are located in the same directories with each domain.

DirectAdmin

#!/bin/bash

echo > /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
for i in `ls /usr/local/directadmin/data/users/*/domains/* | grep ".key"  | awk -F "/" {'print $9'} | sed 's/\.^.]*$//'` ;

 do

cat /usr/local/directadmin/data/users/*/domains/"$i".key /usr/local/directadmin/data/users/*/domains/"$i".cert > /opt/bitninja-ssl-termination/etc/haproxy/certs/"$i".pem
echo "/opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem $i www.$i *.$i" >> /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

done

Let’s encrypt

#!/bin/bash

echo > /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
for i in ` ls -F /etc/letsencrypt/live/*/cert.pem | awk -F "/" {'print $5'}| sed 's/\.[.]*$//'` ;

do
cat /etc/letsencrypt/live/$i/privkey.pem /etc/letsencrypt/live/$i/cert.pem > /opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem
echo "/opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem $i www.$i *.$i" >> /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

done
#remove empty lines
sed -i '/^$/d' /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
Please do not hesitate to contact us at info@bitninja.io or via live chat from the Dashboard if you need help with this or anything else.
Views: 92